Loading cryptocurrency prices...

Lazarus Group Targets DeFi Firm with Trio of Advanced RAT Malware

Lazarus Group Targets DeFi Firm in 2024 Cyberattack Using Fake Scheduling Sites, Chrome Zero-Day, and Advanced Malware

  • North Korean Hacker group Lazarus ran a 2024 cyber campaign targeting a decentralized finance company.
  • The attackers used social engineering to deliver cross-platform Malware called PondRAT, ThemeForestRAT, and RemotePE.
  • Initial contact happened via fake trading company accounts and scam scheduling websites imitating Calendly and Picktime.
  • The attack led to credential theft, system discovery, and installation of different Remote Access Trojans (RATs).
  • The campaign likely used a Chrome browser zero-day exploit to gain initial entry before switching to more advanced tools.

A cyberattack campaign by the North Korea-linked group Lazarus was detected in 2024, with Hackers targeting an employee of a decentralized finance (DeFi) organization. The incident involved the distribution of three different types of malware—PondRAT, ThemeForestRAT, and RemotePE—to compromise company networks.

- Advertisement -

Researchers at NCC Group’s Fox-IT reported that the hackers started by impersonating a trading company employee on Telegram. They then used fake websites that looked like popular scheduling tools to engage the victim and arrange a meeting. After gaining access to the system, the attackers deployed a loader named PerfhLoader, which installed a simplified form of existing malware known as PondRAT.

“From there, the actor performed discovery from inside the network using different RATs in combination with other tools, for example, to harvest credentials or proxy connections,” said Fox-IT’s Yun Zheng Hu and Mick Koomen. The hackers continued the attack by switching from PondRAT to ThemeForestRAT, and later cleaned up after themselves and installed a more sophisticated tool called RemotePE.

Fox-IT stated that the initial access point is not fully confirmed, but there is some evidence that a then-unknown Chrome browser vulnerability was used. Alongside PondRAT, the attackers installed additional tools such as a keylogger, screenshot utility, Chrome credential and cookie stealer, and proxies including MidProxy and Proxy Mini. Tools like Mimikatz, used to collect passwords, were also found.

The malware programs enabled functions like monitoring for new remote desktop sessions, running shell commands, managing files, and launching further attacks or hiding activity. Fox-IT noted that Cybersecurity-advisories/aa21-048a” target=”_blank” rel=”noopener”>PondRAT has been active since at least 2021, and ThemeForestRAT displays similarities to malware used in the 2014 Sony Pictures Entertainment attack.

- Advertisement -

RemotePE, written in C++, is a more advanced remote access tool delivered via a chain of loaders and is likely intended for high-value targets.

Fox-IT describes the approach as moving from basic tools like PondRAT for initial compromise, then upgrading to more complex malware for broader control, all while minimizing detection.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -

Latest News

TSMC Stock Hits Record High on 39% Q3 Profit Surge, AI Demand

TSMC reported a 39% jump in third-quarter profits for 2025, exceeding analyst forecasts. Net income...

Theta Partners with Ulsan HD FC to Launch AI Fan Agent

THETA Network partners with Ulsan HD FC, South Korea’s football club and three-time K...

Semler Scientific Shareholder Sues to Block Strive Bitcoin Merger

A shareholder filed a lawsuit to block the merger of Semler Scientific and Strive,...

The 13 Best Crypto Advertising Networks to Grow Your Project

Why Traditional Ad Networks (Like Google & Facebook) Fail CryptoQuick-View Comparison Table: Top 5...

71 Nations Dump Dollar as Gold Buying Surges, JPMorgan Warns

The share of U.S. dollar reserves worldwide has dropped below 60% for the first...
- Advertisement -

Must Read

How to Buy VPN With Bitcoin Using CyberGhost VPN

In this step-by-step guide, you will learn how to purchase a VPN (Virtual Private Network) subscription using Bitcoin, a popular cryptocurrency, and CyberGhost VPN,...